Restricted Interface Pass-Through

pootboy69
Level 1

I have an ASA 5500 and need to connect a network to e0/3 that sends ALL outbound traffic directly and ONLY to e0/1.  The purpose of this is to restrict access from a switch on the e0/3 interface, for use by visitors and vendors, and prevent access to the internal networks, connected to the same ASA at e0/0.  For the purpose of suggested responses, let's call e0/3 "Guest" and e0/1 "DSL."  I thought I knew how to do this with an "access-list inside_out extended permit ip interface Guest interface DSL", but I must still be missing something.  Thanx!


3 Replies

Jitendriya Athavale
Cisco Employee

Well, I would say the best and simplest way for this is to make the inside networks security level 100, outside DSL 0, and Guest something like 80 or 90, basically less than 100 and more than 0.

So what will happen now is that to move from a lower to a higher security zone you will need to specify an ACL; if not, everything is denied. So that way, from Guest to inside everything is denied.

From Guest to outside it is allowed, as the traffic is now going from a higher to a lower security zone, so all you need for guest users to go to the internet is to NAT them on outside.

Thank you for that speedy reply!  Yes, my internal interface is at security level 100, my outside interface is at security level 0, and my public access interface is at security level 50.  I have applied "global (DSL) 15 interface", and "nat (Guest) 15 0", but this does not work.  I can ping the "Guest" interface on the ASA from the Guest network, but nothing on the outside interface.  What am I missing?

In addition, since I have TWO outside interfaces with a security level of 0, how would I restrict the Guest interface to ONLY use one specific outside interface, and never the other?

If your Guest interface is a higher security level than the outside, check your routes to make sure you are going out the outside interface, and check your Guest interface ACL. Also, if your tests are pings, make sure you have ICMP inspection enabled.

Now as for restricting the Guest interface to go out only one destination I would suggest using a Guest interface ACL to allow only destinations that reside on the outside interface that you want.

I hope it helps.

PK
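The following is an added, constructed ASA configuration that puts together the pieces discussed in this thread (the security-level layout from the first reply, the pre-8.3 `global`/`nat` pair the original poster is using, and the route, Guest-interface ACL and ICMP inspection from the accepted answer). It is not configuration from any of the posters. Every IP address, the second outside interface name (`outside2`) and the ACL name `Guest_in` are assumptions chosen for illustration; the interface names `inside`, `DSL` and `Guest` follow the thread.

```cisco
! Constructed example for an ASA running pre-8.3 NAT syntax (matches "global (DSL) 15 interface"
! and "nat (Guest) 15 0" in the thread). All addresses and the name "outside2" are assumptions.

interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Ethernet0/1
 nameif DSL
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface Ethernet0/2
 nameif outside2
 security-level 0
 ip address 198.51.100.2 255.255.255.0
!
interface Ethernet0/3
 nameif Guest
 security-level 50
 ip address 192.168.50.1 255.255.255.0
!
! Routing decides which interface a destination leaves by. Keep the only default route
! pointing at the DSL next hop so Guest (and inside) internet traffic exits e0/1, not e0/2.
route DSL 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! PAT both Guest and inside to the DSL interface address using NAT id 15, as in the thread.
global (DSL) 15 interface
nat (Guest) 15 0.0.0.0 0.0.0.0
nat (inside) 15 0.0.0.0 0.0.0.0
!
! Guest interface ACL. Once an ACL is bound inbound on Guest, the implicit
! higher-to-lower permit is replaced by this list, so the trailing permit is required.
! Deny the inside network and the other outside interface's subnet first, then allow
! the rest (anything reachable only via the default route, i.e. the DSL side).
access-list Guest_in extended deny ip any 10.0.0.0 255.255.255.0
access-list Guest_in extended deny ip any 198.51.100.0 255.255.255.0
access-list Guest_in extended permit ip any any
access-group Guest_in in interface Guest
!
! Enable ICMP inspection so ping replies from the outside are allowed back to Guest hosts.
policy-map global_policy
 class inspection_default
  inspect icmp
!
service-policy global_policy global
```

To check the result without a real host, the ASA's own `packet-tracer` command shows the route lookup, ACL hit and NAT translation for a simulated packet, for example `packet-tracer input Guest icmp 192.168.50.10 8 0 203.0.113.50` (addresses here are the constructed ones above); `show route` confirms that the default route is via DSL, and `show xlate` confirms the PAT entry appears on the DSL address. If a second default route via `outside2` is present, remove it or give it a higher metric so it acts only as a backup, otherwise Guest traffic may leave the wrong interface.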
